In terms of tech transformation, all organizations are faced with the same questions: How can we become more agile? How can we release more quickly? How can we do more faster, more flexibly? But these questions fail to address the fact that security must remain in step with accelerating development - a unique challenge for large organizations like Best Buy. The solution has been a mix of education, communication, and a large amount of faith.
But these days a faith-based approach to application security isn’t enough. Here’s what we’ve learned from Matt Hurewitz, Best Buy associate director of application security and security architecture, based on his keynote address at The Remediation Summit Register here if you’d like to watch a replay of Matt’s keynote. Or read this blog post which summarizes some of the highlights from Matt’s talk.
Know your application security environment
Like most large retailers, Best Buy has a notable digital surface and perimeter. There are thousands of applications, thousands of microservices. Things that we take for granted, but which are integral to keeping the operation running. We have newer applications, and ones that we describe as “old enough to drink.” We’re using every piece of technology. And everything we do is at a size and scale that requires us to build our own solutions.
Basic questions about our application inventory and the number of hosts we have are hard to answer when operating at Best Buy scale. Recent cloud migrations and acquisitions of other companies contribute to our scale. How big is the problem? It’s intractable. And this is where faith comes in. We want to lift our security posture baseline and improve day after day, but an increasingly sprawling environment makes it difficult to stay fully in control across it all.
This challenge grows the more we move security to the execution and development side of the business. The holy grail of application security programs is shifting responsibility to the developers - empowering them to lead and champion data initiatives as part of their workflow. But to do this you need reliable datasets, and you need to know your application and asset inventory.
Many organizations struggle with creating this inventory, but it’s worth the effort. Once you have full visibility of your data, it’s easier to identify and prioritize the cyber risk most in need of attention on the development side. Data visibility is the key to moving from a faith-based approach to a risk-based approach to application security.
Credibility through communication
The security landscape becomes more and more challenging with the constant push for rapid, new feature development. We’re trying to go as quickly as possible, when really we should be going as quickly as is responsible. When I was working in engineering, I never believed I was writing insecure code. But when I moved to the security side, and had a new perspective, I was blown away by what I’d been missing.
At Best Buy, bridging the gap between security and development has come through building extremely close relationships between the security team and the engineering team. Often, security pros have to prove to developers that something is vulnerable. For an engineer, almost everything looks like “proposed not exploitable.” Security teams must build credibility through constant communication with the developers, educating them on how to identify and recognize cyber risk.
If developers are aware of the vulnerability landscape and have a clear understanding of the risks posed, they are more likely to work together with security to mitigate those risks. Once the credibility of security teams is demonstrated, they are seen as valued partners to the developers.
Getting engineering leadership (and the board) aligned with application security
Roles and responsibilities need to be very clear. Sometimes engineers are aware of security needs and there’s good awareness on their part. Other times the level of security awareness among engineers is limited. Cyber security posture is ensured when engineering teams are on the same page with security teams when it comes to cyber risk.
Security fails make the news, so engineering teams are taking it more seriously. There are also now more and better tools than there have ever been, many of them sitting within engineering environments and helping developers stay on top of security within their workflows. Engineers are learning more and more about security and what it takes to stay secure.
At Best Buy, we work hard to make sure that we don’t demand or overrule engineers unless we have to. And when there is something that needs attention, we’re always in the trenches with the engineers. We get no pleasure in finding vulnerabilities or creating more work for our engineers, and we work hard together to reduce occurrences. At every point we must remember that we all share the same concerns, are on the same side, and are working towards the same goal. On our part, and the part of the engineering teams we work with, we must have mutual faith in each other’s credibility and sense of responsibility.
We talk a lot about measuring risk. But when it comes to communication with the board, it’s been a journey. We have found that an effective way of articulating risk to the C-suite and the board is to highlight stories about cyber incidents that end up in the news and explain how we’re proactively addressing those issues. By producing reports based around the cyber headlines, we gain credibility while also educating the board. Filling gaps in security knowledge using tangible examples from real-life instances makes it easier for the board to understand security concerns. The conversation shifts from tactical to more comprehensive.
To dive deeper into how we’ve been managing our cyber risk at Best Buy, check out my keynote from The Remediation Summit, titled, “Moving from Faith-based to Risk-based Application Security.”